From cc1e80117412aa8b567256da4d7cd6a22ea599c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 27 Oct 2022 16:42:38 +0200
Subject: [PATCH] add test and fix systemd to reload secrets on reload

---
 nix/checks/nixos-test.nix | 42 ++++++++++++++++++++++++++++-------
 nix/modules/vault-secrets.nix | 4 +++-
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/nix/checks/nixos-test.nix b/nix/checks/nixos-test.nix
index f9be5d2..520f6fb 100644
--- a/nix/checks/nixos-test.nix
+++ b/nix/checks/nixos-test.nix
@@ -38,6 +38,7 @@ in {
 config = {
 role_id_file_path = "/tmp/roleID";
 secret_id_file_path = "/tmp/secretID";
+ remove_secret_id_file_after_reading = false;
 };
 }
 ];
@@ -91,12 +92,12 @@ in {
 wantedBy = ["multi-user.target"];
 script = ''
 cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2
+ sleep infinity
 '';
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- LoadCredential = ["secret:/run/systemd-vaultd/sock"];
- };
+ reload = ''
+ cat $CREDENTIALS_DIRECTORY/secret > /tmp/service2-reload
+ '';
+ serviceConfig.LoadCredential = ["secret:/run/systemd-vaultd/sock"];
 vault = {
 template = ''
 {{ with secret "secret/blocking-secret" }}{{ scratch.MapSet "secrets" "secret" .Data.data.foo }}{{ end }}
@@ -106,6 +107,17 @@ in {
 };
 };
 
+ systemd.package = pkgs.systemd.overrideAttrs (old: {
+ patches =
+ old.patches
+ ++ [
+ (pkgs.fetchpatch {
+ url = "https://github.com/Mic92/systemd/commit/93a2921a81cab3be9b7eacab6b0095c96a0ae9e2.patch";
+ sha256 = "sha256-7WlhMLE7sfD3Cxn6n6R1sUNzUOvas7XMyabi3bsq7jM=";
+ })
+ ];
+ });
+
 services.vault.agents.default.settings = {
 vault = {
 address = "http://localhost:8200";
@@ -117,6 +129,7 @@ in {
 config = {
 role_id_file_path = "/tmp/roleID";
 secret_id_file_path = "/tmp/secretID";
+ remove_secret_id_file_after_reading = false;
 };
 }
 ];
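Review bot: `remove_secret_id_file_after_reading = false` leaves the AppRole secret ID readable at `/tmp/secretID` for the life of the VM, which is the opposite of the production-safe default, and nothing in the hunk says why the test needs it. Presumably it is so that `vault-agent-default` can be restarted later in the test script and re-authenticate; a comment would stop the setting being copied into a real deployment, e.g. `# test only: the agent is restarted mid-test and must re-read the secret ID; keep the default (true) in production`. The same line is added to the second agent config further down in this file.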
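Review bot: Both `script` and the new `reload` hook copy the loaded credential into `/tmp/service2` and `/tmp/service2-reload` with the unit's default umask, so the secret is likely world-readable on the test VM; that is fine for a fixture the test driver has to read, but worth saying so the pattern is not reused. A comment above `script = ''` such as `# test fixture: the credential is dumped to /tmp so the test script can read it; never do this in a real unit` would make the intent explicit. The service definition starts outside the hunk.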
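Review bot: The `systemd.package` override pulls a patch from a personal fork (`Mic92/systemd`) with no comment saying what it changes or which upstream change it tracks, and it rebuilds systemd for the test. The sha256 pins the content, so the supply-chain exposure is limited to what was reviewed in that commit, but the reload test added in this same commit presumably only passes with the patched systemd, which means the module's reload behaviour depends on a systemd that users of the module do not get from nixpkgs. Suggest a comment above the override, e.g. `# reload support needs systemd to re-read LoadCredential= on reload; out-of-tree patch from Mic92/systemd@93a2921, drop once it is merged upstream and in nixpkgs`, and the same caveat in the module's changeAction description.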
@@ -132,11 +145,24 @@ in {
 out = machine.succeed("cat /tmp/service1")
 print(out)
 assert out == "bar", f"{out} != bar"
- out = machine.succeed("systemctl list-jobs")
+
+ out = machine.succeed("systemctl status service2")
 print(out)
- assert "service2.service" in out, "service2 should be still blocked"
+ assert "(sd-mkdcreds)" in out, "service2 should be still blocked"
+
 machine.succeed("vault kv put secret/blocking-secret foo=bar")
- machine.wait_for_unit("service2.service")
+ out = machine.wait_until_succeeds("cat /tmp/service2")
+ print(out)
+ assert out == "bar", f"{out} != bar"
+
+ machine.succeed("vault kv put secret/blocking-secret foo=reload")
+ machine.succeed("rm /run/systemd-vaultd/secrets/service2.service.json")
+ machine.succeed("systemctl restart vault-agent-default")
+ machine.wait_until_succeeds("cat /run/systemd-vaultd/secrets/service2.service.json >&2")
+ machine.succeed("systemctl reload service2")
+ out = machine.wait_until_succeeds("cat /tmp/service2-reload")
+ print(out)
+ assert out == "reload", f"{out} != reload"
 '';
 };
 unittests = makeTest' {
diff --git a/nix/modules/vault-secrets.nix b/nix/modules/vault-secrets.nix
index 3b18e17..88408b3 100644
--- a/nix/modules/vault-secrets.nix
+++ b/nix/modules/vault-secrets.nix
@@ -54,7 +54,9 @@ in {
 type = lib.types.attrsOf (lib.types.submodule ({config, ...}: {
 options.vault = {
 changeAction = lib.mkOption {
- description = "What to do if any secrets in the environment change.";
+ description = ''
+ What to do with the service if any secrets change
+ '';
 type = lib.types.nullOr (lib.types.enum [
 "none"
 "reload-or-restart"
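Review bot: After restarting `vault-agent-default` the script only waits for `service2.service.json` to exist again, not for it to hold the new value, before calling `systemctl reload service2`; if the agent writes the file in place rather than via rename, the reload can race a partially written file and `assert out == "reload"` fails intermittently. Waiting on the content is tighter: `machine.wait_until_succeeds("grep -q reload /run/systemd-vaultd/secrets/service2.service.json")`. The `assert "(sd-mkdcreds)" in out` check also matches an internal systemd process name in `systemctl status` output, and `machine.succeed` relies on `systemctl status` exiting 0 while the unit is still activating; both deserve a comment so a systemd bump that changes either does not look like a regression of the blocking behaviour. The test script's enclosing definition begins outside the hunk.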
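Review bot: The new `changeAction` description still does not say what the listed values do or when the action fires, and it drops the "in the environment" detail the old text had without replacing it. Something like `What to do with the service when any of its vault secrets change: "none" leaves it running with the old values, "reload-or-restart" issues systemctl reload-or-restart for it` would be more useful, assuming that is what the module does (the implementation is outside this hunk); the enum list continues past the hunk, so any further values need covering as well.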